#ifndef _TLS_H_INCLUDED_
#define _TLS_H_INCLUDED_
/* libtls internal interfaces
#include <openssl/lhash.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
#error "need OpenSSL version 0.9.5 or later"
* TLS session context, also used by the VSTREAM call-back routines for SMTP
* input/output, and by OpenSSL call-back routines for key verification.
* XXX Eliminate fixed-length buffers where possible.
* XXX Eliminate the tls_info structure; it is no longer needed now that the
* TLScontext structure is exposed to the caller. If the caller's TLScontext
* pointer is null, there is no TLS session. This change (plus other
* changes) eliminated global variables that were shared between TLS client
* and server code. Multiple clients and/or servers can now co-exist in the
/*
 * Fixed-size buffer bounds for the string members of TLScontext_t below.
 * CCERT_BUFSIZ sizes peer_subject, peer_issuer, peer_CN and issuer_CN.
 * NOTE(review): every writer into those members must bound its copy to
 * CCERT_BUFSIZ bytes including the NUL terminator (see the "eliminate
 * fixed-length buffers" note above).
 */
#define CCERT_BUFSIZ 256
/*
 * Maximum host name length per RFC 1035. peername_save is declared with
 * HOST_BUFSIZ + 1 elements, presumably to leave room for the terminating
 * NUL -- confirm against the code that fills it.
 */
#define HOST_BUFSIZ 255 /* RFC 1035 */
BIO *internal_bio; /* postfix/TLS side of pair */
BIO *network_bio; /* network side of pair */
char *serverid; /* unique server identifier */
char peer_subject[CCERT_BUFSIZ];
char peer_issuer[CCERT_BUFSIZ];
char peer_CN[CCERT_BUFSIZ];
char issuer_CN[CCERT_BUFSIZ];
unsigned char md[EVP_MAX_MD_SIZE];
char fingerprint[EVP_MAX_MD_SIZE * 3];
char peername_save[HOST_BUFSIZ + 1];
int enforce_verify_errors;
/*
 * Buffer size for the BIO pair (internal_bio/network_bio in TLScontext_t).
 * Presumably the size handed to OpenSSL when the pair is created -- confirm
 * in the implementation.
 */
#define TLS_BIO_BUFSIZE 8192
#define NEW_TLS_CONTEXT(p) do { \
p = (TLScontext_t *) mymalloc(sizeof(*p)); \
memset((char *) p, 0, sizeof(*p)); \
#define FREE_TLS_CONTEXT(p) do { \
myfree((p)->serverid); \
myfree((char *) (p)); \
char *peer_fingerprint;
const char *cipher_name;
/*
 * All-zero tls_info_t template; presumably used to reset a caller's
 * tls_info_t when no TLS session exists (see the XXX note on tls_info
 * above) -- confirm against the callers.
 */
extern const tls_info_t tls_info_zero;
extern SSL_CTX *tls_client_init(int);
extern TLScontext_t *tls_client_start(SSL_CTX *, VSTREAM *, int, int,
const char *, const char *,
/*
 * Client-side session teardown. This is a plain alias for
 * tls_session_stop(); the server-side tls_server_stop() macro expands to
 * the identical call, so both roles share one shutdown path.
 */
#define tls_client_stop(ctx , stream, timeout, failure, tls_info) \
    tls_session_stop((ctx), (stream), (timeout), (failure), (tls_info))
extern SSL_CTX *tls_server_init(int, int);
extern TLScontext_t *tls_server_start(SSL_CTX *, VSTREAM *, int,
const char *, const char *,
/*
 * Server-side session teardown. Expands to the same tls_session_stop()
 * call as tls_client_stop(); argument order is (ctx, stream, timeout,
 * failure, tls_info), matching the tls_session_stop() prototype.
 */
#define tls_server_stop(ctx , stream, timeout, failure, tls_info) \
    tls_session_stop((ctx), (stream), (timeout), (failure), (tls_info))
124
/*
 * Shared teardown behind tls_client_stop()/tls_server_stop(). In the
 * macros' naming the arguments are: ctx, stream, timeout, failure,
 * tls_info.
 */
extern void tls_session_stop(SSL_CTX *, VSTREAM *, int, int, tls_info_t *);

/*
 * Session (de)serialization. passivate() turns an SSL_SESSION into a
 * VSTRING byte buffer; activate() rebuilds an SSL_SESSION from a buffer
 * and its length. NOTE(review): activate() parses caller-supplied bytes
 * into an OpenSSL object, so the buffer should only ever come from data
 * this code itself wrote with passivate() -- confirm the callers.
 */
extern VSTRING *tls_session_passivate(SSL_SESSION *);
extern SSL_SESSION *tls_session_activate(char *, int);

/*
 * Attach/detach a TLS context to a VSTREAM. Presumably installs and
 * removes the VSTREAM read/write call-backs mentioned in the TLScontext_t
 * comment above -- confirm in the implementation.
 */
extern void tls_stream_start(VSTREAM *, TLScontext_t *);
extern void tls_stream_stop(VSTREAM *);
* tls_bio_ops.c: a generic multi-personality driver that retries SSL
* operations until they are satisfied or until a hard error happens.
* Because of its ugly multi-personality user interface we invoke it via
* not-so-ugly single-personality wrappers.
extern int tls_bio(int, int, TLScontext_t *,
int (*) (SSL *), /* handshake */
int (*) (SSL *, void *, int), /* read */
int (*) (SSL *, const void *, int), /* write */
#define tls_bio_connect(fd, timeout, context) \
tls_bio((fd), (timeout), (context), SSL_connect, \
#define tls_bio_accept(fd, timeout, context) \
tls_bio((fd), (timeout), (context), SSL_accept, \
#define tls_bio_shutdown(fd, timeout, context) \
tls_bio((fd), (timeout), (context), SSL_shutdown, \
/*
 * Single-personality wrappers around tls_bio(). tls_bio() takes
 * (fd, timeout, context, handshake fn, read fn, write fn, ...); the
 * trailing buffer/length parameters of its prototype are not visible in
 * this excerpt. The read wrapper passes SSL_read in the read slot and NULL
 * in the handshake and write slots; the write wrapper does the converse.
 * Note that the wrappers' own argument order (fd, buf, len, timeout,
 * context) differs from the order in which they call tls_bio().
 */
#define tls_bio_read(fd, buf, len, timeout, context) \
    tls_bio((fd), (timeout), (context), NULL, \
            SSL_read, NULL, (buf), (len))
#define tls_bio_write(fd, buf, len, timeout, context) \
    tls_bio((fd), (timeout), (context), NULL, \
            NULL, SSL_write, (buf), (len))
/*
 * Ephemeral key material for key exchange.
 *
 * The *_from_file() loaders take a file path and return nothing, so a
 * failure to load is presumably reported or fatal elsewhere -- confirm.
 * tls_tmp_dh_cb()/tls_tmp_rsa_cb() have the (SSL *, int is_export,
 * int keylength) shape that OpenSSL's temporary-key callbacks expect.
 *
 * NOTE(review): 512-bit DH parameters and temporary RSA keys exist to
 * serve export-grade cipher suites and are far below current key-size
 * guidance. Whether they are ever selected depends on the configured
 * cipher list, which is not visible here -- confirm it excludes export
 * suites.
 */
extern void tls_set_dh_1024_from_file(const char *);
extern void tls_set_dh_512_from_file(const char *);
extern DH *tls_tmp_dh_cb(SSL *, int, int);
extern RSA *tls_tmp_rsa_cb(SSL *, int, int);
182
/*
 * Peer certificate verification. The leading (int, X509_STORE_CTX *)
 * pair matches OpenSSL's verify-callback signature; the trailing int is
 * presumably a TLS_VERIFY_* flag word -- confirm against the callers.
 * TLS_VERIFY_PEERNAME is a bit flag (1<<0), so further flags can be
 * OR'ed in without colliding.
 */
extern int tls_verify_certificate_callback(int, X509_STORE_CTX *, int);

#define TLS_VERIFY_DEFAULT (0)
#define TLS_VERIFY_PEERNAME (1<<0)

/*
 * CA certificate configuration for an SSL_CTX. The two const char *
 * arguments are presumably a CA file and a CA directory path, and the
 * int result presumably a success/failure status -- confirm both.
 */
extern int tls_set_ca_certificate_info(SSL_CTX *, const char *, const char *);
extern int tls_set_my_certificate_key_info(SSL_CTX *, const char *,
/*
 * Presumably an ex_data index used to recover the TLScontext_t behind an
 * SSL * from inside OpenSSL call-backs -- confirm.
 */
extern int TLScontext_index;

/*
 * Report pending OpenSSL errors. Whether the error queue is drained
 * afterwards is not visible in this excerpt.
 */
extern void tls_print_errors(void);

/* Same shape as OpenSSL's SSL info callback: (ssl, where, ret). */
extern void tls_info_callback(const SSL *, int, int);

/* Same shape as OpenSSL's BIO callback: (bio, cmd, argp, argi, argl, ret). */
extern long tls_bio_dump_cb(BIO *, int, const char *, int, long, long);

/*
 * PRNG seeding. The meaning of tls_ext_seed()'s int argument and of its
 * return value cannot be determined from this excerpt. NOTE(review): the
 * strength of TLS keys and session identifiers rests on this seeding, so
 * the entropy source should be checked in the implementation.
 */
extern void tls_int_seed(void);
extern int tls_ext_seed(int);
* tls_temp.c, code that is going away.
#endif /* TLS_INTERNAL */
/* The Secure Mailer license must be distributed with this software.
/* IBM T.J. Watson Research
/* Yorktown Heights, NY 10598, USA
#endif /* _TLS_H_INCLUDED_ */